Based in | Switzerland |
Storage | 5 - 20 GB |
Price | $4.00/mo. |
Free Tier | Up to 500 MB |
Website | ProtonMail.com |
If you want to protect your email from prying eyes, but don’t need the kind of protection that keeps spies and whistleblowers alive, ProtonMail could be the secure email service for you. It utilizes PGP encryption standards, is based in Switzerland, and has a solid reputation in the privacy community.
Because ProtonMail positions its service as one of the most secure email options available, above and beyond other secure email providers, we’re really going to put it under the microscope.
At the end of the day, only you can decide which is the best secure email service for your unique needs and threat model. Now let’s get started.
+ Pros
- End-to-end (E2E), or zero-access encryption for Email, Calendar, and Contact information
- Officially under Switzerland jurisdiction
- All data stored on servers in Switzerland
- Apps for Android and iOS mobile devices
- Web client, encryption algorithms, and iOS code are all open source
- Strips IP address from emails
- Can be used with email clients through the ProtonMail Bridge feature
- Can import contacts and emails through the bridge
– Cons
- ProtonMail does not encrypt email subject lines
- Utilizes phone number verification
https://ProtonMail.com/
ProtonMail features overview
ProtonMail utilizes strong end-to-end and zero-access encryption standards to protect all email, contacts, and calendar data. That means all your data is encrypted when stored on ProtonMail servers (but not email subject lines). Aside from this multi-tiered encryption system, ProtonMail has several interesting features, including:
- The ability to send “self-destructing messages,” which are automatically deleted at the time the sender specifies.
- Address Verification, a way to ensure that a Public Key received from another user hasn’t been tampered with since you first verified it.
- Full PGP support.
- Premium accounts with a range of additional benefits, including a brandable Business account.
- The ability to send encrypted emails to non-ProtonMail users.
- Android and iOS mobile apps.
- ProtonMail Bridge, which allows ProtonMail to integrate with other email clients that support the IMAP and SMTP protocols. This also allows you to import emails into your ProtonMail account from other services.
Overall, this is a good lineup of features.
Note: At the time of this ProtonMail review, the beta version of ProtonMail 4.0 was scheduled to go live “soon.” While I haven’t seen an official list of 4.0 features, the ProtonMail 2019 Roadmap states that their goals for 4.0 include:
- Encrypted Search
- Conversation View
- Multi-user support on mobile devices
- Encrypted Calendar
ProtonMail company history and funding sources
The ProtonMail family of products is run by Proton Technologies AG, a company based in Geneva, Switzerland. The founders met while scientists at CERN and came up with the idea for ProtonMail in the CERN cafeteria, as the story goes.
Funding for ProtonMail has come from various sources over the years. Aside from regular paying users, ProtonMail has also benefited from the following funding sources:
- In 2014, ProtonMail launched an Indiegogo crowdfunding campaign which brought in over half a million dollars.
- In 2015, ProtonMail accepted a $2 million investment from a US-based firm called Charles River Ventures (CRV).
- In 2019, ProtonMail accepted €2 million from the EU to “develop a suite of encrypted services.”
ProtonMail is a bit more expensive than some of the other secure email services we’ve reviewed, such as Tutanota and Posteo.
ProtonMail does not encrypt email subject lines
One concern I have is that ProtonMail does not encrypt the subject lines of messages. From the ProtonMail website:
All ProtonMail data at rest and in transit is encrypted. However, subject lines in ProtonMail are not end-to-end encrypted, which means if served with a valid Swiss court order, we do have the ability to turn over the subjects of your messages. Your message content and attachments are end to end encrypted.
ProtonMail complies with the OpenPGP encryption standard. In that standard, address-related metadata is part of the message header and must remain unencrypted to allow a message to reach its destination.
The ProtonMail approach makes them compliant with the PGP specification, but leaves this potentially revealing data unencrypted.
We will return to this important subject below.
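To make the exposure concrete, here is an added example (not code from ProtonMail or from the original review) that parses a PGP/MIME message in the RFC 3156 layout the way any server handling it could, and reports what stays readable. It illustrates the OpenPGP email format in general, not ProtonMail's internal storage; the addresses, subject, armored placeholder and the function name `exposure_report` are all invented for this illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample data: addresses, subject and body are invented, and the
# armored block is a placeholder rather than real ciphertext.
HEADERS = (
    "From: Alice <alice@example.org>\n"
    "To: Bob <bob@example.net>\n"
    "Cc: carol@example.com\n"
    "Date: Tue, 14 Apr 2020 09:30:00 +0200\n"
    "Subject: Draft contract for the Geneva office\n"
    "Message-ID: <constructed-0001@example.org>\n"
    "MIME-Version: 1.0\n"
)

# Same headers, body wrapped as PGP/MIME (multipart/encrypted).
ENCRYPTED = HEADERS + (
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";\n'
    ' boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: application/pgp-encrypted\n"
    "\n"
    "Version: 1\n"
    "\n"
    "--b1\n"
    'Content-Type: application/octet-stream; name="encrypted.asc"\n'
    "\n"
    "-----BEGIN PGP MESSAGE-----\n"
    "\n"
    "(placeholder, not real ciphertext)\n"
    "-----END PGP MESSAGE-----\n"
    "\n"
    "--b1--\n"
)

# Same headers, ordinary unencrypted body, for comparison.
PLAIN = HEADERS + (
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "The signed terms are attached.\n"
)

METADATA_HEADERS = ("From", "To", "Cc", "Date", "Subject", "Message-ID")


def exposure_report(raw):
    """Summarise what is readable without any private key."""
    msg = message_from_string(raw)

    # Header fields sit outside the OpenPGP-encrypted part.
    cleartext = {h: msg[h] for h in METADATA_HEADERS if msg[h] is not None}

    # Everyone named in the addressing headers, i.e. the contact graph.
    fields = []
    for name in ("From", "To", "Cc"):
        fields.extend(msg.get_all(name, []))
    correspondents = sorted({addr.lower() for _, addr in getaddresses(fields) if addr})

    pgp_mime = (
        msg.get_content_type() == "multipart/encrypted"
        and msg.get_param("protocol") == "application/pgp-encrypted"
    )

    ciphertext_parts = 0
    readable_body_parts = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "application/pgp-encrypted":
            continue  # RFC 3156 control part ("Version: 1"), carries no content
        if "-----BEGIN PGP MESSAGE-----" in part.get_payload():
            ciphertext_parts += 1
        else:
            readable_body_parts += 1

    return {
        "pgp_mime": pgp_mime,
        "cleartext_headers": cleartext,
        "correspondents": correspondents,
        "ciphertext_parts": ciphertext_parts,
        "readable_body_parts": readable_body_parts,
    }


if __name__ == "__main__":
    for label, raw in (("encrypted", ENCRYPTED), ("plain", PLAIN)):
        report = exposure_report(raw)
        print(label, "->", report["cleartext_headers"]["Subject"],
              "| readable body parts:", report["readable_body_parts"])
```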
ProtonMail servers and data security
All ProtonMail servers are physically located in Switzerland in secure facilities. This means user data is protected by Swiss law, which generally provides for better privacy than USA or EU law.
However, ProtonMail makes it clear that if you violate Swiss laws, and they receive a Swiss court order, they will have to turn over whatever information they have on you to the Swiss authorities. This is where the lack of encryption for the Subject line of messages can become a problem.
While the bodies of your messages and any attachments should remain safely encrypted, addressing information and the Subject lines of your messages are stored in the clear and would be provided to the authorities. This information is enough to give anyone possessing it a good idea of who you communicate with and the subjects you discuss with them.
Some people also question how free from USA and EU influence Proton Technologies really is. They have two international support centers, one in San Francisco, California (USA), and one in Skopje, Macedonia (Macedonia is a candidate for EU membership).
All that said, the ProtonMail threat model document specifically states that,
“we cannot guarantee your safety against a powerful adversary.”
The spy agencies serving the USA and EU definitely qualify as “powerful adversaries.” So if you decide to take on one of the Five Eyes, violate Swiss laws, or something equally crazy, using ProtonMail is unlikely to save you.
ProtonMail technical specifications
ProtonMail uses a variety of encryption algorithms to protect your messages. All messages are end-to-end encrypted and also remain encrypted in your mailbox until actively being read. The algorithms they use are open source versions of AES and RSA along with OpenPGPjs algorithms:
- AES-128
- TLS 1.0
- DHE RSA
- SHA 3
QuoVadis Trustlink Schweiz AG signs SSL certificates for ProtonMail.
Security features of the certificates include:
- Extended Validation (EV)
- Certificate Transparency (CT)
- 4096-bit RSA
- SHA-256 hash
ProtonMail hands-on testing
If you’ve used email services like Microsoft Outlook or Gmail, you will find ProtonMail to be easy to work with. For this review, we’ll be looking at the ProtonMail Plus plan, the first tier of paid ProtonMail service. At this time (April 2020), you need to have a paid ProtonMail account and access the beta version of the product to use some of the newest features, such as their new encrypted Calendar.
Creating a ProtonMail account
Creating an account with ProtonMail is pretty self-explanatory. You can get an account in a matter of minutes:
- Go to the ProtonMail website.
- Create a username and password. (Recovery email is optional.)
- Go through the verification steps
Next you will need to go through a verification process, but you do have different verification options you can select:
I’ve seen complaints about ProtonMail forcing people to go through phone (SMS) verification when signing up through VPNs or over the Tor network. Although I don’t like how ProtonMail is utilizing SMS verification, it is important to protect the service from spammers and bots.
Signing in to ProtonMail
Signing in to ProtonMail is easy and straightforward. Simply go to the homepage and enter your login credentials. To get access to all the features we will discuss in this review, you need to have at least the ProtonMail Plus plan, and select the BETA link circled in red (below) when logging in.
When using ProtonMail, you have the option to create a recovery email inbox, which can be used if you lose your password. Once you sign into ProtonMail, you can stay with the free plan indefinitely, or you can upgrade to one of the paid plans. As is common with most secure email services, the paid plans offer more storage and additional features over the free plan.
As we go through this ProtonMail review, I’ll let you know which features are available only in a paid plan.
The look and feel of ProtonMail
ProtonMail has a pretty standard interface, with a 3-pane “Row View” layout (we saw that when talking about encrypted subject lines earlier), as well as the “Column View” option here:
Before we go further, look carefully at the top-left of the preceding image. The three icons that appear there, if you have a paid account and are using the beta version of ProtonMail, allow you to switch between different sections of ProtonMail. From the top, they are: ProtonMail, ProtonContacts, and ProtonCalendar.
We’ll talk about ProtonContacts and ProtonCalendar once we finish with ProtonMail.
With Column View, you get all the usual folders in the left-most pane, with the ability to add any custom ones you wish. In the center is the message list, with the body of the selected message displayed in the right-most pane. Once you start using it, you’ll notice that like other privacy-oriented mail services, ProtonMail blocks remote content like images by default, giving you the option to load them right at the top of the window.
ProtonMail Settings
You can customize the layout of your ProtonMail inbox by clicking the Settings icon, then selecting Appearance in the left-hand column of the Settings window. For example, I used the Layouts section of Settings to switch back and forth between the Row View of the inbox and the Column View.
Exactly what you can do here will of course depend on which ProtonMail plan you subscribe to. We’ll look at differences between the plans later in the review.
Composing messages with ProtonMail
You compose ProtonMail messages in a pop-up composition window with a good set of HTML formatting options, including inline images. Once you get used to the layout, the composition window makes including things like Attachments, an Expiration time, a Read Receipt Request, and Encryption fast and easy. You can adjust the size of the composition window in Settings.
There are a few keyboard shortcuts that help with composing messages. But you won’t find more advanced editing features such as macros and automatic suggestions.
Sending messages to non-ProtonMail users
Like some other secure email services, such as Tutanota and Mailfence, ProtonMail gives you the option to send encrypted messages to people who don’t use ProtonMail. The recipient will need to know the shared password you are using, so that will need to be arranged outside the system. These encrypted messages automatically expire in 28 days (but you can set a shorter date if you wish).
The recipient will see something like the following in their Inbox. If they enter the correct password and click the View Secure Message button, they will be able to see the message you sent them.
This system seems to work very well, as long as you can share the password outside the ProtonMail system to get the process started.
Searching for messages in ProtonMail
ProtonMail has a very limited ability to search your messages. Because messages are encrypted (except while you are actually viewing them), the client can’t search message bodies. This, of course, can be frustrating and really limit your ability to find the message you are looking for.
Updated search functionality – Version 4 of ProtonMail has improved search capabilities compared to previous versions. Message body searching is still not available, but searches are much faster, and you can use complex search terms such as:
(cat -dog) | (cat mouse), which would match text that includes ‘cat’ and not ‘dog’, or ‘cat’ and ‘mouse’
The ProtonMail client works smoothly, although there can be a delay when opening a message, given that the message must be decrypted before you can read it. Since the client is browser-based, instead of a stand-alone app, you might find that it slows down as the number of messages in your folders increases, but I wasn’t able to test this.
Comparison to Tutanota search – In comparison, Tutanota (another fully-encrypted email provider) has been offering full-text search capabilities since 2017. To do this, Tutanota creates an encrypted search index which can then be searched locally on the user’s device.
ProtonContacts
The ProtonContacts secure contact manager is integrated into ProtonMail, giving users a secure way to protect their contacts while functioning smoothly with ProtonMail.
ProtonMail creates ProtonContacts encryption keys for you. It uses those keys in their zero access encryption system to encrypt clear text contact data, ensuring that once they do encrypt your data this way, even ProtonMail can’t read it. ProtonContacts also uses digital signature verification to ensure that no one else can secretly tamper with your contact information. ProtonContacts is also implemented in the mobile apps.
Note that email addresses in contacts are not encrypted using zero access encryption. Why? Because ProtonMail needs to be able to read the email address to make sure your message gets sent to the right place.
ProtonCalendar
Building an encrypted calendar sounds pretty easy at first. Just encrypt all the data until the user opens the calendar, then decrypt the data for them. But just as an email service has to interact with other email services, a calendar service needs to be able to interact with other calendar services. Even worse, a full-powered calendar system needs to be able to share events with other calendar systems. The ProtonMail team battled with this complexity for over a year, and on December 20, 2019, they announced the arrival of ProtonCalendar, their solution to this complex set of problems.
ProtonCalendar is still in early beta. The final version will include:
- calendar sharing
- event invitations to anyone (whether they use ProtonMail or not)
- the ability to sync the calendar with events found in your ProtonMail inbox
ProtonCalendar is also scheduled to be added to the iOS and Android apps at a future date.
The ProtonMail mobile apps
ProtonMail has apps for both iOS and Android. I’ve been working with the Android app and it looks good and functions smoothly. At the time of this ProtonMail review, the Android app had almost 24,000 reviews with a solid rating of 4.5 out of 5 stars.
At the time of this review, ProtonMail’s Android app is not open source and is not available on F-Droid.
On October 30, 2019, the company announced that their iOS app is now open source. This app gets a score of 4.3 out of 5, with over 1,200 reviews.
Is ProtonMail really secure?
There is a lot of debate out there about how secure ProtonMail really is.
Aside from the financial ties to the US and EU that we discussed earlier, there have been some criticisms of the service on other grounds as well.
- The browser client uses JavaScript encryption libraries. These are considered to be less secure than the libraries used in the ProtonMail mobile apps.
- Leaving the Subject field in the clear (for PGP compatibility) means more data could be exposed to those spying on the message traffic.
- A paper published at the end of 2018 criticized ProtonMail’s cryptographic architecture on a number of grounds. However, these same criticisms could be applied to any browser-based email client (not just ProtonMail). Here is the response from ProtonMail.
On the subject of using PGP, there are also some benefits in terms of security. OpenPGP is an open standard that has been extensively audited for security, is battle tested, and is well proven to be secure. ProtonMail is also the maintainer of OpenPGPjs, which is the most widely used open source encryption library and has therefore been thoroughly audited.
Lastly, we also have to keep in mind that ProtonMail is arguably the biggest name in the private email space. This makes it a good target for criticism, as we have also seen with NordVPN, the largest VPN provider.
ProtonMail business features
ProtonMail also offers a service for businesses that provides “end-to-end encryption to secure your business communications.”
This service includes migration tools and dedicated support to transition your business from its current hosting to the ProtonMail infrastructure. It incorporates a user hierarchy allowing your Email Administrators to manage user accounts appropriately.
Given the current limitations with search and calendar, I’m not sure ProtonMail would be a great fit for businesses that need all these features. There are other good options that are more fully-featured, such as Mailfence or Mailbox.org.
ProtonMail cost and pricing plans
Since they don’t display ads in their clients, or sell access to your messages to advertisers, ProtonMail charges for their services. As you can see below, ProtonMail has four pricing plans, including a free tier with 500 MB of storage.
The Free plan, with 500 MB of storage, 150 messages per day, and 3 folders / labels could be enough for you. If not, one of the paid plans will likely meet your needs.
Note that the Free, Plus, and Professional plans all offer ProtonVPN as an option, while the Visionary plan has the VPN built in.
ProtonMail alternatives
While there are several secure email services on the market, Tutanota is the first alternative I would suggest. Rather than using PGP and S/MIME, Tutanota has rolled out their own encryption standard incorporating AES and RSA, which encrypts the subject line, supports forward secrecy, and can be updated/strengthened over time. Tutanota has also rolled out a fully-encrypted Calendar feature and is much better than ProtonMail about open-sourcing their clients.
My verdict: Tutanota is the best alternative to ProtonMail in the high-security category. (It is based in Germany.)
There are other alternatives to ProtonMail that offer a lesser degree of encryption and security, but with more features:
- Mailfence is a Belgium-based email that has many features, integrated PGP support, and it works well for groups/teams.
- Mailbox.org is another good option based in Germany with many features and options for teams.
Both Mailfence and Mailbox.org support custom domains.
ProtonMail review conclusion
ProtonMail is a polished and popular end-to-end encrypted email service that will meet the needs of many regular users.
As the most popular secure email service on the market, with a free basic account, it is a great option for regular encrypted communications with friends, business partners, and others who want protection from routine snooping and hacking. For those who want maximum security, with full encryption of subject lines and strong data security, Tutanota might be a better fit.
Is ProtonMail the best secure email service for you?
I can’t tell you that since everyone’s needs are different. There are many factors to consider when selecting a secure email provider and the choice all comes down to your own preferences.
You can learn more about ProtonMail on their website here:
https://ProtonMail.com/
Alternatives to ProtonMail
We have reviewed about a dozen alternatives to ProtonMail. Click the email provider below to see our full review. These are the top alternatives:
And you can also check out our full lineup of recommended secure email providers.
@Sven,
You’re welcome. Glad to help.
@Sven,
BIG update from Protonmail.
They are now completely open source.
This just hit: https://protonmail.com/blog/android-open-source/
From what I saw, they address the last bullet con in your list above.
Android app, IMAP bridge, and iOS are all open source with outside investigation.
They have published the findings in the above article plus a detailed explanation of how the android is protected here: https://protonmail.com/blog/android-client-security-model/
Now…can they migrate the app to F-Droid? Hopefully soon 😁
Great, thanks for the heads up J.M.
This is root related – to April 16th, @ Will W. – J.M.
and just about anyone else that happening to visit and view this.
It’s my sharing of information as I’ve read around the web:
See – https://restoreprivacy.com/privacy-tools/#comment-77255
and refresher – https://restoreprivacy.com/privacy-tools/#comment-76790
Thank You
@sonar,
I agree with what you are saying in your last comment.
You asked the question, who doesn’t take the time to look at what is being sold and how their privacy is being used.
I would say that it is beyond just them not looking deeper. I honestly don’t think they care.
@J.M. – (bear with purpose)
In the Spirit of Restore Privacy as this site, I believe in it.
So how is one reader over another, to understanding in your data’s privacy, as with the sites main purpose is – 1st. to inform, 2nd. present solutions, 3rd. raise discussions with comments/replies. Geared in directions of your online world’s use of the devices you own. Especially regarding the personal loss in data’s privacy as all of this imposes to the user as being cataloged and profiled across their Internet’s usage by tracking.
[[ Google Analytics is a free website analytics service offered by Google that gives websites owners insights into how users find and use their website. With Google Analytics, sites can track return on investment (“ROI”) for your online marketing. Sites can sift & sort their visitors with dozens of “dimensions” like where they came from, what browser they are using, etc and with “metric” like what page they clicked on and what form they submitted. Sites can seamlessly integrate Google Products like it’s Ads account & Search Console. Sites can also use tracking codes to tag & track any advertising, social, PR campaign or any kind of campaign on any platform/website. All websites have to do is install a small amount of “tracking code” on each page of their website. ]]
***Only a small “tracking code” on each page of the website – allows sites to tag & track visitors on any platform/website. *** – – That’s a lot of POWER consolidated, as well coherently being logically connected back to GOOGLE !!!
I can see 1st timers here quitting – the weak at heart to understanding their online privacy. Returning visitors learn all to soon that this is a vast area that is to be understood, that don’t mean they stop exploring the topic’s here of online Privacy.
Please explain as I don’t see this part to be understood clearly. How this is related – that you’ve said.
“I would say that it is beyond just them not looking deeper. I honestly don’t think they care.”
About the mention, to time needed as questioning of what is being sold basically as a service/software to it’s online personal use, to then any minus effects it has on your data’s privacy. I agree this should have a set priority as being weighed out too – in one’s own self threat model.
– If that’s what came to mind when you read this I wrote:
“*At the end of the day, most people simply do not want to take the time to look beyond Google and Facebook use, that is, to learning how they can better protect their personal data. Gents and/or Ladies if that’s the case, I’m glad we’re all here trying to learn!
We are all taking those steps and the time to put back equilibrium and a halt to that monitory drive against our users digital privacy online.*”
That statement has nothing to do with not caring as it’s core – but a welcoming to our brothers and sisters as would want to learn and do care. Hope you’ll agree we are all here for this purpose, and then to most of us that means learning as our time and ability allows.
Thanks J. M.
Thank you Sir – Sven the hiccup bug on replies lives no more… ; ) Yea…
@sonar,
I basically was meaning that there are many who just could care less what is sold and what info is kept.
I know two people who have questioned me why I pay for a ProtonMail. I told them and the result was, ah, Google is free and they don’t bother me.
Even when sending them links on this site they say, “too much. Please don’t send me more.”
There is not even the precursory inkling to even look deeper. If it fits and works and they only have to just sign up…well, that is fine.
I know that one person is using Yahoo. I showed them three times where Yahoo was hacked and info taken. The answer is, “I am fine. Please don’t bother me with it. It works and I don’t want to switch”.
That is what I mean.
Yep that’s a shame they be so tunnel visioned to their using the web. Advertisements honing and shaping their subconscious not to mention the IP diary that kept on them wherever they go online.
One day they know this from their poor privacy hygiene and are welcome here to feast.
If that be them shopping for any kind of insurance and only see three companies offering two prices in their area of coverage given, and it starting at a high price and even gets higher in the three.
To the content links that’s shown of their search’s made, going on sorption with their neglect that allows AI to learn and study them, then shapes their online world to that underlying Analytics online-advertising ecosystem they don’t care about.
Really they are a danger to themselves unless they have a money tree going out back… Personally I wouldn’t want to pay more!
@sonar,
Agree. Well, it is a long distance change. Not a sprint and so I just take my time.
@ Will W. – J.M.
and just about anyone else that happening to visit and view this.
In NO other words, GOOGLE Analytics –
When users privacy forms the bases of a conversation using modern tech, it can’t seep any disbursement overall to the dominating ruler(s).
The titans towering high above are not guardians of our rightful place to revest peace of the mind, person, device, home network, and in our use of the web in with it’s far reaching echelonment surveillance.
I believe this is true – in it’s first part, Because Of Google (and other power house big tech conglomerates !), as their memoiristic role is to log your chronobiology in an historical online stratagem, where they’ve accounted for you based on their personal knowledge to overarching that impelling of people’s data in web use. A folder then, as something fashioned to an evolutionary genetic drift, like how your DNA can tie you back to many generations before of your ancestral sect, and their migration of the globe.
Imagine that your privacy needs a multi-sided fortress. If a side isn’t covered, then an enemy can learn away into your privacy of your digital life. Therefore, as vital is the need in that you make sure you receive adequate protections in the places that are important.
On the second part, in our own data migration across the globe being of a digital means as to back-end systems of users supplied digital data exhausts out to their company records. And, as well as for our digital device meta-data footprint on the servers hops as wherein a technology matrix of a modern web is prime to extracting of it.
Google alone accounts for it’s deployment of hidden tracking on 76% of websites across the Internet (that reads WORLD), a big chunk in monitoring your every move just within it’s own ecosystem.
Your Personal Privacy and the Internet – It’s as important to understand as opposites like oil is on water of their insolubility differences, if we were to disperse users privacy as oil molecules throughout an disdainful aqueous solution as of the web, this mixed system would spontaneously separate or (unmix). Where as just our using the web we are soluble for assimilation and packaged with each returning visit as their commodity articles of commerce in the information data brokers business.
At the end of the day, most people simply do not want to take the time to look beyond Google and Facebook use, that is, to learning how they can better protect their personal data. Gents and/or Ladies if that’s the case, I’m glad we’re all here trying to learn!
We are all taking those steps and the time to put back equilibrium and a halt to that monitory drive against our users digital privacy online.
Googles ecosystem of an early start has us and the world in need of more F-Droid offerings. Other countries stepping up or at least locking down Googles reach in their countries. Necessity is the mother of creation engendering back down to our digital privacy!
Thank you ; )
“Because Of Google (and other power house big tech conglomerates !), as their memoiristic role is to log your chronobiology in an historical online stratagem, where they’ve accounted for you based on their personal knowledge to overarching that impelling of people’s data in web use.”
This is so poetic and tragic at the same time, because it is True. I am just a generic consumer who has been so flummoxed by the ongoing invasion of privacy – and the lack of concern by users – that I often wish to time travel and return to the days of Pen and Ink. There is such a fine line between accepting convenience and ceding control. This site is wonderful because of the conversation, debate, questions, and sparks freely shared and offered. However is also SO frustrating! To be excited to find an answer, then discover that answer is also compromised. (Ie. Mozilla, yay! But Soros, oh crap.)
It seems that every field contains both rabbit holes and fox. Mines. Traps. Few answers, just more questions. And all I seek is a trusty browser and an email address that does not collect and create a decades long novel of my mundane daily life.
I will hope that more people ponder “privacy”. And that instead being painted into tin hat, the queries about privacy, tracking, data mining, profiling – asked for self and children – will appear to be practical helmets in this silent war.
Aman – brother or sister and greetings, keep sharing and learning.
That part you quoted was from a spark I get from my subliminal eye as when I read with an intent to answer most of these things you brought up. Thank you for the keen observation and kindness. I’ll admit it’s perplexing as more deeper the layers are uncovered, makes it seem a losing fight. You might have a look here as this replaces a VPN and Ad Blocker. It’s new and I’d love to give it a spin except for the cost.
https://restoreprivacy.com/how-to-be-anonymous-online/#comment-73185 . . . . The part of – at J M on privacy#2,
Fear not the sky’s not fallen – and no I don’t wear a tin hat though sometime I might sound like I do. There’s not such a thing as clouds, mere network of servers (banks of servers – like open air multistory parking garages) that pass us around the web, and to the things some are foolhardy enough to store there, and in the end what goes up must come down. Shame for anyone to think there is just one set of footprints of yourself from your web search to clicking a link.
You might like this I added sometime ago, my handle then was different as I used HardSell. I’m not much beyond that point there, but now seeing deeper into the layers.
https://restoreprivacy.com/privacy-tools/#comment-60265
I’ve given a lot of content to that tools topic as both aisles hope you’ll spend some time reading there. Knowledge is a tool in the hand as is logic reasoning in the mind. I’ve built all my life with my hands and my mind, now I’m trying to build with my mind and words to imprint with images.
I can’t leave you without some kind of an outline to have:
My devices Strong Foundation:
– Hardened OS. or (Root access if possible)
– Third party FireWall. (Firewall that blocks everything’s contact to the web by default, and the first time anything tries to enter or leave your system, you’re alerted (pop-up) to set an action for it from that point onward regarding it’s role in your devices network setup.
– VPN service. (Hides your true location and encrypts all your devices generated network traffic – installed to the system / because browser extension(s) VPN’s ARE NOT CAPABLE OF THE SAME FUNCTIONS Device Wide or simply their being offered as a watered down version to mimic a real VPN’s functions.
– Private Secure Browser /W/ Private Search Engine. (Separate programs and Working in Tandem when going online).
– Ad blocker. (Install to the system, some do their work in blocking online ads, but also on your installed apps that display ads too when opened and ran on the system. Kudos for the ones (Ad Blockers) offering advanced settings that dials into the specifics of your devices privacy – Ex: hides search queries, strips tracking parameters, hides your user agent, hides your IP address, etc, etc…).
– Password Manager. (Besides securely storing passwords and other personal and accounts info [locally is my preference/never trusted Cloud Storage]. CS is basically for syncing same info to multiple devices you own and that would have to go online to do it.)
(Password Managers are capable of your longer stronger passwords generation than the average person would normally use and retain on their own).
– Secure email /W/ Secure Messenger. (Separate programs again – Look to them offering end-to-end encryption of your data for a true zero-access provider. That would be the encryption happens locally on the device (browser – app) and it’s done (only with access) from the users end to decrypting said data / and never the only encryption offered is to happen on their servers end but in your account there. ‘Employees and the company partners’ then may very well have access to the servers decryption key and then to accessing your mails data.
About the Winston project, it’s only for the home or office as not made it to mobile side yet mobility. _Winston is a hardware device. The device sits inline with your router and protects every device on your WiFi — all computers, tablets, phones and internet-enabled devices.
_Winston also has a software component. Software in Winston is updated on an ongoing basis to insure that your protection is current, and there are browser extensions that allow you to manage your privacy on-the-fly while on the internet. _Winston works as a distributed private network — a decentralized platform, built on Ethereum, with no logging. Virtual private networks (VPNs) are not only unreliable but expose you to logging of your information. Most importantly, _Winston opts you out of invasive internet surveillance that compromises your security and identity. _Winston resets the norm and makes internet privacy settings work for you — not on behalf of surveillance tracking.
Good Day
@Sven,
Update: Bridge is now open source.
Android app is soon to be!
https://protonmail.com/blog/bridge-open-source/
To add, this article and in fact their entire blog is really good.
@Sven,
Forgot to also ask, does this also change your last bullet point on the CON list?
If it is opening up everything that moves that from the con to the pro.
Great thanks for the info.
Sven – J.M.
[https://restoreprivacy.com/email/reviews/protonmail/#comment-78663]
I concur with the sites overall opinions of review, but users try and conjure up a concourse of and in relationships to any of each spoken mail service.
This can seemingly dispose a person to a David and Goliath concept (a young shepherd armed only with a sling, beats Goliath as the mighty warrior).
Where espouse in one’s proportion to arrangement of an seemingly aristocratic favoring, and the other clearly lacks or as disproportional equivalent, and as it’s unappreciated of their merit to a users privacy of their private data in it’s network travels.
Resulting to looking no further and with plantar flexion’s to move away from their further focus in study given of smaller companies offering.
This 15 minute and 40 second Ted Talk, really breaks down in it’s points of One and Two often overlooked facts as giants are not as strong and powerful as they seem. [https://www.youtube.com/watch?v=ziGD7vQOwl8]
Jump to the weighting out part [https://youtu.be/ziGD7vQOwl8?t=354] of difference by assembly in user privacy to carnage a company does impose.
The man at heart and profession, is a journalist, author, and public speaker and his full words built as images used is a good fabric of a mental picture established to others. [https://en.wikipedia.org/wiki/Malcolm_Gladwell]
**Personally I think our mind’s, of great details in the process of reasoning, as it’s a controlling and coordinating center of our nervous system and the seat of our own thoughts, memories, wills, perceptions, emotions, and to cognitive weighting out with empirical judging as best for ourselves in any situation.
As for Proton as the giant (or any other Goliath) and for Tutanota as the underdog (or any other David) in the email industry.
In other words, you’re seeking a level in privacy and the security of that privacy idea brings you, is calming to you. How much of an industry’s hype plays a role – what really means and brings a difference overall at the table as to saying I’m here.!!!.
Then to understand extremes of, a mosaic patchwork assemblage in a kaleidoscopic direction – where as compared to direct directions as being, organic originating, or operating in or at the grassroots level to offer a solo solitary based encryption concept to users mail privacy.
This can be as the soul in users definition of their needs, as if it’s of a Frankenstein in a creature or yet the monster behemoth to an ugliness in users privacy overall to encryption means.
Where individual remedies redressing electronic mails clear texts evilness of any kind that lay undermining it’s users privacy.
Small means having less of a footprint as the business towards a company wise, where you don’t have partners and affiliates that larger companies are chained to.
Small means the company has set itself up to not sharing and tries to run as self sufficient as possible, without what a small company necessitates as business deemed in order to be in the business they offer online.
Thank you.
PS: Sven is the site’s user reply to comment hiccup as it’s noticed by some, would that mostly be at or thereafter in timing to – as new a review is released offered on the site and/or of updating an old one?
We go through a good period and all is well and then bam it’s back. Maybe with moving to the new, privacy-focused analytics platform (Fathom), has some undertones to be of significance in a consequence as this reoccurs.
(Two desktop browsers, android still using startpage app all fail to be able to make direct reply to any comment.) Thank you
It is a pesky javascript bug that resurfaces sometimes when doing site updates. I’m working on this again. Sorry for the inconvenience.
@sonar,
There is a lot here, so I will try to be concise.
I love the analogy of David and Goliath and that is what it seems in this case. Let me give a summation. Sometimes, the Behemoth just works.
Now, I am all for the under dog. In fact, Tutanota (in this case) was my first choice. As said, I was willing to just pay full price.
In regards to hype, every company brings that to the table. The only company that I have not had hype from has been my NPO’s ISP. We dropped a major corp. and switched to them. Locally owned and operated, excellent customer service, blazing speeds (I am about 50-60 MBPS up and download speed), and they let their product talk for them.
Outside of that, all companies have their hype. I read a blog by Tutanota and the images of the author in pencil form had him in a boxing stance to look hard. Cheezy? Maybe. But hey, it works for them so, ok. I am familiar with funding and outside influence with funding. I almost went with PIA but I am so glad I didn’t :). I just want something that works. If Tutanota and Proton was reversed in my experience, I would have been a major supporter.
The aspects that David has against Goliath, is it takes MUCH, MUCH, MUCH more to engage and take steps. The “David’s”? They see opportunities and BAM! There they are. They are fast, nimble and able to respond and move for customer service and engagement much quicker.
In regards to opinions, we all have them. And that is great because we all look at these articles from different lenses. Sven or one of the others post, we read and then the comment section becomes alive with the different perspectives to enhance the topic. The articles, posters and info is what keeps me coming back. I appreciate the opinions in this.
In a personal aspect, it is nice to have a place that differing opinions are ok to have. I am very much Black and White in life. Right is right and wrong is wrong. To come here and for a small moment let my guard down to a degree is nice.
But as you so correctly said, we all have and are looking for what makes us feel secure. And that is why I come back. The posts are not saying, “xyz is the ONLY one to use”. Sven leaves that open. FireFox is highly touted here. I use Brave because a lot of new info that has been coming out makes me uneasy about FireFox.
VPN, mail, text, OS, and a host of other things really are put up and healthy discussions follow.
So I agree with what you are saying. As always, thank you for a good discussion and info.
@J.M.
I agree with the companies participation on here as well – not only for new stuff but in users and new comers questions, old users complaints. That way they couldn’t shape it to their betterment, as I feel often on their ends that happens.
In other words if put nicely to them here – they could answer in fairness as not having the control over the medium and gain credibility off grid their of influence.
I understand your present time right now, but the contact I sought of you was very similar along this direction. I guess as it’s played out now, I could only tap your advice of that direction. But still you’re very busy and I’m not one to impose. I’m crawling with my idea and then never been in the circle.
Thanks for your answers ; )
@sonar,
I think it would help them out in the long run.
I have not forgotten about reaching out. Let me get a time to figure the best way. Thanks.
@sonar,
Agreed. I am always weary of reading manufacturers reviews…from their own sites, LOL! just looks too plasticky fake.
Wish they would set aside a few minutes or an hour or so to just sit on here and connect. Not sure how that would look as it takes time for messages to be approved but it would be awesome for them to actually get into the dirt with us instead of a white lab only situations.
I will figure something out. I did just join a thread but I cannot say what it is as it will dox me. I will figure a good meeting point. Thanks for your patience and underatanding.
Understanding.
@sonar,
I hear what you are saying and I agree. I do believe that maybe, for a personal account, they may be ok for many (I just cannot go to them again). I do agree, they are better than Gmail, Ymail, Outlook, and others, but then again, ANYTHING is better than that :). Some of the others are promising. I really like the looks of CTemplar. My biggest issue with them is, as we had shared, they presume to be entitled to the cost. They do not and told me are probably not going to offer an NPO discount. Even without the discount, what I pay for ProtonMail, I am between Knight and Marshall levels.
Comparing the Knight to the Visionary, I have more storage, more aliases, more custom domains, more emails to send out and receive. Honestly, it is only when I get to their Champion level, are they offering more (at a steep $38/month payment)! Visionary with ProtonMail will fall between their Marshall and Champion levels and even the Champion level is not much more than what I have now. All that to say I have a combining of Marshall and Champion at the price of the Knight and Marshall level (closer to Knight at $12/mo).
I agree and wish all of these companies would get on here and follow. When you go to their blog or sites, they can control the message. Here, they will be forced to deal with the discussion. I think that would help them the most.
I know Tutanota was here for a little, and I saw in the comments that someone from Epic Privacy Browser, but that was temporary. What if all the companies were able to get on here and submit their new update stuff. Then all @Sven would have to do is read through, put his notes and post. He doesn’t have to track everything down. Maybe that is a long shot.
Thank you for the kind words. It has been hard for everything that he has done and did is still evident here. But, we are getting through.
@Sven,
Thank you sir. I was wondering about that. It was hard for me to tell what you thought. I tried to reply to you directly but that did not work on my browser. I did clear my cookies and everything and tried again.
@J.M.
[Sven no direct replies possible from desktop or mobile side – today]
(https://restoreprivacy.com/email/reviews/protonmail/#comment-78588)
Good to hear your health is fine, as time away wasn’t of self personal tragedy, though it’s hard losing a mentor and friend, I feel for you in that time which is needed to mourn their passing, the grieving and sorrow of someone close.
I think you have spelled out something important that the secure email topic misses. That is which ones are good for business use and which aren’t at their present state.
Tutanota’s good for the novice, and as you’ve clearly pointed out not the business user – nor NPO outside of Germany regulations in whats deems one.
Sven’s focus must have been encapsulation for free mail uses coming from G, Y, aol, msn and ISP’s and the like mail providers.
These newer companies I guess would be essentially writing their own pay checks today as well – that is their top leading echelon people. I think the, what was it like 10,576 backers raising of 5x the $100,000 Flexible Goal sought to launch Proton got burnt some – when big outside money came in. That’s my perspective.
No I’m not a Tutanota fanboy – it’s just besides them & Posteo both as their services are more than fair to poor folks paying for their ride.
I debate that Germany part as in the 5eyes, and they’re not, between them and France either could have been the 6th eye – but from what I read hasn’t happened for neither one yet.
[https://en.wikipedia.org/wiki/Five_Eyes] – **Right after 6eyes it’s calling both out as mentioned. Bottom in #76 References link tells more of why Germany’s was up in consideration.
I never consider your input an attack, debates we’ll have yes which is healthy, otherwise it’s social conversations. I’m prob off topic in something I do, and I’ll add here in a few days, but it ties loosely to your mentioned with least one other – just a union to something you’ve both mentioned is all.
I did wish Tutanota would follow Sven site and respond here to your experiences of them and their service up time. That link at the top is to your prior reply that I’m now answering, and you can use it to direct anyone here as referencing it – least for a business side of these two.
Greeting and best !!!
@Sven,
A quick follow up question, is ProtonMail a good product, in your estimation? Have they improved your opinion or gone down? I am really wondering. Thanks.
About the same as before, but a little better with the Calendar feature.
@sonar,
No problem. I appreciate your thought out answers and I do not take it as anything but a discussion. Let me try to explain where I am coming from (and I got these fired off quickly as I have finally had time to sit and read the website but this week is going to be another big one as well).
Pricing:
I pay $144 a year for both my VPN and Email combined. That is $12 a month for both. Higher than Tutanota? Yes. But please let me explain why I do this.
When I first started looking for something else than what I had (I was using Outlook at the time), I knew what I was going to have and what I was going to need. I was going to have my name and NPO in the email address itself and the NPO is registered. Therefore, for me to say this was a top secrecy thing would right there eliminate that. I realize that I was going to mainly pay for my custom domain and the email. But at the same time I wanted to try and give back to those who really needed it. The subsidizing of the Free VPN and Email for those on the outside is in fact a good way to help and while it is not a direct way to give back it does help keep them going. Tutanota offers discounts as well and I believe they do offer free for those who need it (except VPN’s).
Opening up two accounts, one with Tutanota and the other with ProtonMail, I went through the process of using both for several weeks to a couple of months to test. Both served as expected (but not equally sufficient) but the difference came in the customer service. I found Tutanota’s Customer Service lacking. Responses took a long time. The down times that I faced with Tutanota was sometimes several days. I could not access my emails as it said server was down or could not be reached. When asking to have Emails forwarded to my outlook for the time being, I got no answer. When I turned on their blog, I found that they went on a protest or something to push for saving the planet or something like that. I’m sorry. When you have a business you need to have it running. It was shortly after that I tried to go ahead and see what the next level would bring. Surely I could get better service.
I sent in my paper work to ProtonMail showing that I was an NPO and Tax Exempt. I believe, if I remember correctly, it was only about an hour later I had the discount code in hand and was ready to get it set up. Of course the email that I wanted to use was not registering. So I created a second and that ended up taking. I asked for them to transfer the credits from the second email to the one I wanted and shut down the second. This they did with no problem and within, I would say, four hours, I had a fully functioning email.
I have the DKIM, Forward Secrecy, and several other protocols all built in when I established the email. Yes, it took a while to get my email set up and yes, it was looking desperate because I had to be online with my NPO. Before I made the final payment, I reached out to Tutanota.
It was after three days I heard back from them. They had my paperwork and said it did not qualify for any NPO status. They said I needed three of four other documents to “prove” I was an NPO. As I said, this was not true as I use the same documents to set up bank accounts, tax exempt accounts, now email accounts, etc. I appealed. To date I have not heard back.
Yes, $12 a year is cheaper. But how much down time do I have to face? How much struggle do I have to go through to get help? I would rather pay the $12 a month to get both VPN and Email with quick responses and help. I have kept a backup email with Tutanota. I will say that. However, I have deleted all others that I had as both a personal and otherwise (I didn’t realize I could only have one email per free until I started getting into it).
Issues:
With ProtonMail, I will say the three times I have had issues, they have been quick to get me back up and running. And if I am truly honest, It was my fault on the issues.
With Tutanota, I downloaded the mobile app off F-Droid and their email client. On my desktop, the email client at least once a day would log me out of all my accounts so I would have to go back in and reset it all up. And at least three times a week, it would self delete off my system completely where I would have to go and redownload the whole program and start over. When I would have it and it worked, it worked good. Not great but good. The issue was that it would run into not being able to connect with the server and finally I just got tired of trying and started to use my mobile app.
That lasted a little while but it kept logging me out (I do not remember my passwords as I have them written down) and eventually it would not connect to a server for three or four days. At this point, I had enough.
With no response and no help from them, I cut and ran. I did not get the service that I needed even though they knew I wanted to go paid.
With Proton, I have not had an issue with my mobile app except for the following complaints (Proton I hope you hear this: OPEN THE APP UP ON F-DROID!): They use Google for push notifications. Yes, I have downloaded the app from the APK files but no notifications. I have, however, learned to deal with it and moved on. The installation and running of the VPN on the app is good but I have to be careful that I find the faster server as sometimes it slows my phone down. But those are minor issues.
I have never been kicked off my app (except for when I update or do something). I have always had a fast response (because of what is going on now with this virus they have slowed down but that is something I do have an understanding about). They have always given me top notch care. Here recently they have given me 10 extra GB of storage free and I do have access to their calendar (not super polished but coming).
I have always been able to connect to a server. When I haven’t, my downtime was maybe 5 minutes at most. I can live with that. I think I had that happen once so far.
Security:
I get that ProtonMail is bigger and is therefore the bigger target. But I have a friend who not only hacks companies and websites (he is a white hacker, I guess and is paid to find weaknesses) but he does IT security for a living. He looked at both. I did make a quote of what he had to say and I will try to restate it by memory.
He said that Tutanota’s security is good. His biggest issue is that they are doing their own handmade security. The risk he saw was that if it was not implemented correctly it was more dangerous than not. The reason being is because there is a false sense of security. He said the protocols that Proton is using is pretty standard and is getting stronger (4096 or whatever it is for the keys).
He said the security built into Tutanota (at the time) was lacking the DKIM and a few other things. Proton had those. Now, I know Tutanota has included that but it took a while. He liked the Forward Secrecy and the other things I can add to my account to keep it secure.
He also said the downtime is a hard thing to get over. Which I have also documented and agree. I don’t mind a few times or a little bit of time as I try to be understanding. But that was getting too much.
Lastly, about security, I asked about the Quantum computer and Proton Mail said they are building a system to counter that. Many if not all companies are jumping and getting that set up. Tutanota, while they may be ahead (since they roll their own security) still has to overcome the other issues I documented and that they are part of the 14 eyes.
MLAT is something I do wish to comment on as well. I dug into the MLAT with the people at ProtonMail. They said to date they have never had an MLAT request. While Iceland is not part of the MLAT, EVERY email provider is bound by the laws of their nation. Hence I said, the only way to be totally private and secure online is to act as though online is a postcard.
In regards to your other comments, that is what I meant. I am not ready to become a ProtonOnly everything just yet but the more I have dealt with them, the more I like what they have and what they do. I do know the issues raised here in the article. They do have support centers in America and elsewhere. But when you are growing as big as you are, you are bound to open more support areas. That is just natural. Everything is still under Swiss laws. For me, they fit perfectly as pictured above.
As an NPO, I send maybe two emails encrypted which contain sensitive things. Most of my contacts are using Gmail, Yahoo, Outlook, or the ISP email addresses. Do I wish I could get them all to switch over? Absolutely. But until then, that is what I am dealing with. I like how I can use my email as a regular email if need be.
I know what you are saying for simplicity. But I again argue, How can I send an email or receive it to those I need to when I cannot even log in? All of the simplicity and security does me nothing when I cannot even log in to compose a message in the first place.
As far as talking about employees, I get that they are smaller. I get that they are just a local group. I commend them for that. However, and I know it is older but it still serves my argument, how can you argue that you are small and need the benefit of the doubt but then pull this: https://www.tutanota.com/blog/posts/join-climate-strike-fridays-for-future?
That doesn’t make sense at all. The whole thing doesn’t make sense. If you are small, stay in the office. Do the job you are championing and get the systems online and working. As far as being a paid member, I was trying. I sent them the documentation. They still rejected and treated my inquiries like dirt. Sorry, it is the same thing you and I discussed with CTemplar. It is almost as if they had an entitlement to being paid. There are other companies out there.
Now, going to spam. My one email was covered, at least five times a week, with spam emails. Try as they did, Tutanota could not stop them. I did everything they asked and I had to close down that email just to stop the spamming. With ProtonMail, I had one spam. I sent it in and I have not seen anything since. Can they get hit as well? Absolutely. To me this is not a big deal. Just please take care of the issue when I send it in.
With Protonmail, I do have five aliases each with their own email. It goes back to one inbox. I can respond with any of the five without a problem which is nice since I can then respond either as the IT of my NPO, or one of the leaders of my NPO or as someone who is just a regular guy.
Well, sonar, I didn’t mean to write a book but I wanted to make sure that my reasons were not just a random, “I didn’t like it” reason. I tried. I really did. I gave them time and excuses just to keep the emails going. Granted, when I discovered I was only allowed one email per free (I will admit I did not obey that, not because I willingly chose to ignore it but because I just didn’t see it until later). Upon that discovery, I closed down all but one. That is my back up if I need it.
As I said, Tutanota holds a very special place here. If they have earned that trust and reputation, I am not going to try and just throw them under the bus. However, they are not the only operation in town. For me and my NPO, they did not fit and work. It was a fight from the start and a fight to the end.
You are right. Maybe I need to step back before posting. Problem is, especially right now, I am going full bore on the NPO. I lost my mentor and helper to cancer and the weight has fallen on me and to a lesser extent another guy. I am getting into a rhythm and flow so it is not as bad as it was when this first happened but because of that, I do not necessarily have time to sit back and write. I took more time than I probably should have to compose this, so please let me finish with a statement.
It is not against you, Sven or anyone else on the site. I am not trying to attack or bash one company or another. I just want to share what I know, what I have experienced and what has happened so others, whether it is through ProtonMail or CTemplar, HushMail or any of the other number of companies, can understand what some have gone through. Does ProtonMail do everything right? I assure you no. But for what I am needing, they are batting high averages. Today I am going to delete their Bridge. I had high hopes for it and it just was not working for me. So back to the web base. So I do still cut what doesn’t work and just focus on what does, even with ProtonMail.
Please do not take this as an attack. It isn’t. The last thing I want to come across is that. I do count you as a friend and a very deep wealth of information. I like the site, I like the three that post the articles, and some of the other commentators. It is a good site and worth being part of. I have learned a lot and have grown.
Thanks again and I had better sign off as I need to get started with my day. Have a great one and be safe.
@Sven,
No problem. Thank you for the help on that.
@J.M.
[https://restoreprivacy.com/email/reviews/protonmail/#comment-53125]
“The pricing between Protonmail and Tutanota, for my NPO, is a little over 36 Euro’s a month paying for a year in advanced. Tutanota is about 6 Euro’s a year for an NPO.”
*WOW* you want to pay 36 euro’s a month x 12-months = 432 euro’s a year -over just someone who would charge you only in roughly about 6 Euro’s a year total. { I know you enough here to know – you probably meant 36 euro’s for the year paying that way…and total then }
Restore Privacy reads wouldn’t though. Please proof read – I’m bad when I proof myself as I have the idea in my head and can’t catch my own mistakes very well till a later reading.
Quote:
“So, while not a fanboy for my situation, they are a better fit.”
I take it as (Proton) = fanboy and good fit.
On encryption, they both use different and totally separate means in pulling this off – which I’d think as an NPO you’d want to offer the simplest to whomever through that NPO end – would be the less taxing for anyone not into email encryption.
Though for advanced users, PGP and S/MIME – standards do not support forward secrecy and are not resistant to attacks from quantum computers.
On Tutanota’s roadmap is an API to offer, so that Tutanota users can email communicate with users of any encrypted secure services confidentially in the future.
Maybe it’s why I see Tutanota offers a simple yet better thought out solution in encryption means for the average users benefit.
On employees both are totally different again, in one’s case they are small compared to the others case as they are larger and maybe too large – for their business side’s in users privacy.
So you’re talking email customer support source on teams as comparing Tutanota to a large email service that may be farming out their customer service to others or a separate division within itself and capable to handle volumes better in customer contacts. Tutanota case you’re talking to the team member of the service, and a paying account you get extended support over its free tier.
On alias email addresses, both as still being different and Tutanota the clear winner with me. That’s figuratively based on email account spam and deals in it’s account security level! “Tutanota does not support plus addressing (xyz+username@tutanota.com) for Tutanota domains.” https://tutanota.com/faq/#plus
Proton supports the alias plus addressing (no-security-against-spam+username@proton.com) for the true email address underlays the alias and is being known / that is no protection against spam and any anonymity of the user nor their actual email account.
A gripe seems that you didn’t hit their Tutanota NPO title with them, it’s understandable if you’d consider that it’s not just a discount in the email service but the service geared to the user business end-
Tutanota at Half Price:
Schools for general education and non-profit organizations can get Tutanota with a 50% discount on all users, the whitelabel feature, the sharing feature, and Secure Connect; 20 aliases are included.
https://tutanota.com/discount
On your “initial assessment” as with any comment or reply, – I’ve found out what helps myself, is taking a step back after composing a draft, or outline to one (I’ll submit), and let it air for a day – coming back and editing it or for additions – works best for me…
Then it’s not as much of being a confusing mess (flip-flopping) for any readers following up in comments to the guides or articles Sven offers.
Just the same – I didn’t want to believe either, that the red offer was better until I’d walked in shoes of both – Tutanota hits the mark well for a novice.
https://tutanota.com/email-comparison/
I only wished to help and my words be of encouragements to you and others, I still consider you a good friend here and an outstanding ambassador for the RP site.
Thank you Sir ; )
Sven,
Thank you for the updated info. I still see that you mention the funding aspects. Is there a place we can dig deeper into that?
I want to gauge whether this is really a Red Herring or not. What are your thoughts? From this report, I could not tell if it went up or down in your estimation.
As far as the web based email, there is a lot of interest in a new one from Iceland, CTemplar, yet even they say they are using the very codes provided and maintained by ProtonMail.
I was glad to see they are wanting to work with ProtonMail and not necessarily be on the attack against them.
True, I am biased as my support by Proton, but my CS with their support, and the value I get for my NPO has been shown to be worth the cost.
Again, I see that Tutanota is posed as the biggest competitor but when I was using the free version between both, I was treated differently and not in a good way. CTemplar is too new for me to consider and too expensive.
No, I don’t work for ProtonMail nor get paid to report. My biggest criticism, and this can be seen in a few other comments, they NEED TO GET AWAY FROM GOOGLE PLAY. Yes, I have the APK but boy, opening up on FDroid would be awesome.
Some interesting things:
ProtonDrive is in the works and is a competition to Google Drive.
The Calendar is still in beginning stage but is good for what it is.
They have given away extra storage twice now. The last one was 5-10 GB free.
Anyway, these are just my thoughts and questions. Maybe biased but I find they have taken care of me and my NPO very well.
On funding, I just posted what I found and researched. It’s nothing new that others haven’t already discussed, so I don’t really have anything else to add, other than what you see in the review.
@ Julie Nov 27,
Heinrick did it:
Here it is – https://restoreprivacy.com/email/reviews/ctemplar/
Sven – I think you should review CTemplar that someone mentioned above. Looks very very interesting!
Beware if you use protonmail – if you ever upgrade, you will be forced to pay the fee forever, because they revoke access to your emails (with no exceptions and no way around it) forever if you upgrade and then let your paid time period lapse without upgrading again. So if you upgrade for one month, after that month is over they will lock your account, and only open it again if you continue to pay. So don’t upgrade protonmail unless you’re 100% certain you want to pay at least 50 euros (their cheapest plan if you pay the year at once) a year for the rest of your life, for that account.
This is objectively false.
Having been someone who has paid, then not paid, then paid again a number of times since using the service, I can say that you do not get “locked out of your account” at all.
One of the features that comes with the paid account is the ability to use more than one email address for the account, that being in addition to the one you already get for free. I used an email address from my own private domain and used protonmail as the client to receive those emails.
Upon unsubscribing from the service, I did indeed lose access to those additional accounts that were added during the subscription, but I didn’t lose access to my protonmail account, or the free email address that was with it, in any way.
If you choose to stop your subscription, you will lose access to the ADDITIONAL email account/address you put in to your account with protonmail, but not to protonmail itself or the email address you got when signing up with them initially.
There is a clear distinction between that and losing access to your protonmail account completely… which you don’t.
I’ve run across some more negatives on ProtonMail from an upcoming email provider comparing themselves as good/better than Tutanota & Proton.
– Actually it was an RP readers site mention here for Sven’s review…
CTemplar offers users the world’s most secure encrypted email program. CTemplar’s security does not lie solely in its advanced encryption. CTemplar is structured and domiciled so as to best protect your data from information requests.
[[This approach and as mentioned of their About Page – https://ctemplar.com/about
researched all aspects of internet privacy in various jurisdictions in order to assure that our servers are domiciled in the most secure location.
Our legal department continues to research internet security and privacy laws throughout the world so that we may constantly provide users with the maximum level of internet privacy. If there is a proposed change in policy, we will be first to know and have a migration plan in place that ensures complete ongoing security.]]
–
[Comparison Table link: https://blog.ctemplar.com/ctemplar-comparison-table/
This is my source by the numbers but, from where does the authors sources come?
3. Subresource Integrity (SRI) makes it impossible for an attacker {from strike} hacking you (serving malicious code) during your website visit. CTemplar was the very first secure email service to enable this functionality. Several weeks after CTemplar successfully implemented it then Protonmail enabled it also.
.
6. MLAT treaties require broad and all-encompassing cooperation. If the US asks for data from a country with an MLAT treaty then the country must do everything within its power to provide what is requested. The treaty can be utilized to turn your mobile device into a tracking device recording your every move. An example of this is the Swiss MLAT treaty which can require a Swiss company to “make every effort to ascertain the whereabouts and addresses” of their users. Countries with MLAT treaties include Belgium, Switzerland, and Canada.
.
7. Some email services, like Protonmail, maintain backdoor access to all users 2FA. They say this is because they do not want the person locked out of their account if 2FA is lost.
.
9. Swiss email services are legally required (via MLAT Treaty) to record their users IP addresses even if you disable IP tracking. Protonmail’s privacy policy states: “your IP address may be retained permanently” if they decide you qualify. The MLAT treaty requires IP tracking of users. Protonmail does not allow anonymous signup and if you attempt it they will require payment or a valid cell phone confirmation.
[Tutanota’s Terms of Service only allows 1 IP address per account. To enforce this rule they record your IP address with your account’s username so they can make sure you do not exceed 1 email address. All new accounts are disabled for 48hours as they check your username and IP address to be sure this is not your 2nd Tutanota account and to prevent abuse of their platform.]
.
10. Protonmail and CTemplar both accept Bitcoin. Tutanota does not. Bitcoin is NOT anonymous. CTemplar is the only email service that accepts payment using the most anonymous currency, Monero(XMR). ”
–
If a new email service is a possibility in 2020 for you, note this – from their blog and total news to me – – –
https://blog.ctemplar.com/ctemplar-checksum-implementation/
Your Email Service Can Hack You
Currently, all “Zero Access” email services have way of access their own users data. They make their code “Open Source” allowing anyone to review it. However, they do not serve users code from that “Open Source” depository. You are actually served code that is being sent from a server that email companies do not allow to be audited. This gives them the ability to hack their own users, revealing their own users decryption keys. We have solved this issue by implementing SRI & Checksums.
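What the SRI check mentioned in the comment above amounts to in practice, as an added example that is not part of the original comments or any provider's code: a script is accepted only if its bytes hash to the value declared in the page's `integrity` attribute. The sample page, script paths and script bytes are constructed; note that the hashes themselves are delivered inside the HTML document, which SRI does not cover.

```python
import base64
import hashlib
from html.parser import HTMLParser

STRENGTH = ["sha256", "sha384", "sha512"]  # SRI algorithms, weakest first


def sri_value(data: bytes, alg: str = "sha384") -> str:
    """Build an integrity value such as 'sha384-<base64 digest>'."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, data).digest()).decode()}"


def matches(integrity: str, data: bytes) -> bool:
    """Browser rule: only hashes of the strongest listed algorithm count."""
    tokens = []
    for token in integrity.split():
        alg, _, digest = token.partition("-")
        if alg in STRENGTH and digest:
            tokens.append((alg, digest.split("?")[0]))  # drop ?options
    if not tokens:
        return False  # nothing usable; this audit treats that as a failure
    best = max((a for a, _ in tokens), key=STRENGTH.index)
    return any(sri_value(data, a) == f"{a}-{d}" for a, d in tokens if a == best)


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every external <script>."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.found.append((a["src"], a.get("integrity")))


def audit(html: str, fetched: dict) -> dict:
    """Return {src: 'ok' | 'mismatch' | 'no-integrity'} for one page."""
    collector = ScriptCollector()
    collector.feed(html)
    report = {}
    for src, integrity in collector.found:
        if not integrity:
            report[src] = "no-integrity"  # a browser loads this unchecked
        else:
            report[src] = "ok" if matches(integrity, fetched[src]) else "mismatch"
    return report


# Constructed sample: hashes the page declares vs. bytes a server returned.
GOOD_JS = b"console.log('mail client');\n"
PAGE = f"""<script src="/app.js" integrity="{sri_value(GOOD_JS)}"></script>
<script src="/vendor.js" integrity="sha256-AAAA {sri_value(b'vendor v1')}"></script>
<script src="/analytics.js"></script>"""
FETCHED = {"/app.js": GOOD_JS, "/vendor.js": b"vendor v1 + injected",
           "/analytics.js": b"anything"}

if __name__ == "__main__":
    for src, status in audit(PAGE, FETCHED).items():
        print(f"{status:13} {src}")
```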
Great article, thanks!
I have a few things to add. First: “This service includes migration tools ” this tool is not usable right now. It’s garbage. On Windows 10 app window not showing because invalid QT configuration. ProtonMail support not responding for request, instead of being premium user.
ProtonMail DOES NOT encrypt contact basic info: CONTACT NAME and CONTACT EMAIL ADDRESS. So, if NSA, FBI or another agency want this data it’s stored as plain text. I believe contacts list is more interesting for these agencies than mails content (source: https://www.reddit.com/r/ProtonMail/comments/dbcaea/will_all_my_protonmail_contacts_available_for/)
Proton doesn’t provide desktop client. Their ProtonMail Bridge is garbage. Laggy, buggy and cumbersome. Not reliable at all!!! Tutanota has nice desktop client, based on electron.
ProtonMail pricing is ridiculous! If you use custom domain and want catch-all you have to pay for this 75$!!! For comparison you get all these things with Tutanota for only 12$. What is more – you pay Proton 75$ and can only assign 2 custom domains. With tutanota there is no limit of custom domains and catch-all is available in basic plan.
As ProtonMail user I think, their mission is to earn as much money as they can. You have to pay for everything, such basic thing like encrypting contacts additional info (basic info cannot be encrypted). You pay 75$ a year and what you get is promises. E.g. promise for open source code of ProtonMail. For years. Promise for calendar. Promise for email search.
How come you should be to use Protonmail + Tor is better than regular protonmail dot com, hm?
Just open Tor browser, then just use this protonirockerxow.onion/login and then sign in, BOOM! Now you’re secure and protect yourself. That is it. Look at what your ip is? it is just say “Tor”, no ip address show!
https://pasteboard.co/IzTW8hp.png
so, good luck.
And plus I use 2 passwords (two functions password) like enter password is first one and then second one is decrypt password, then you’re in. That’s why I use two functions password + protonirockerxow.onion = everything safe and secure security. 😉
Public prosecutor Stephan Walder already has silenced lawyer Martin Steiger. As I just have noticed, lawyer Steiger has taken down his article on ProtonMail from his website. The title of the article is “ProtonMail Voluntarily Offers Assistance For Real-Time Surveillance” and the archive URL for the article is as following:
http://archive.is/RQolG.
Shows, what dodgy methods our privacy focused friends from ProtonMail are employing.
Here the archive URLs of lawyer Steiger’s tweets (live tweet) [in German with responses in English]:
Prosecutor Stephan Walder explains that ProtonMail collaborates with the Canton Police Zurich and their cybercrime unit:
http://archive.is/3MYUA
ProtonMail surreptitiously changed the “Transparency” Report:
http://archive.is/q2gec
Tutamail works a lot smoother and I like the clean look. Also they are working hard to add new features. I’m definitely happy with tutamail more, although I’m also using protonmail for newsletters etc.
“ProtonMail is in talks with Huawei Technologies Co. about including its encrypted email service in future mobile devices, part of the Chinese phone maker’s plan to develop an alternative to Alphabet Inc.’s Google ecosystem.”
https://www.bloomberg.com/news/articles/2019-09-06/huawei-eyes-protonmail-as-gmail-alternative-amid-u-s-sanctions
So this “privacy company” is now partnering with a Chinese hardware company that is in bed with the Chinese government, which is responsible for large-scale censorship, mass surveillance, human right violations, and much much more……
WTF
Hi Bernd,
Crypto ‘s comment below adds – ‘Questionable ties to shady entities, Lithuanian shell companies, MIT, venture capital firms, and others’ as well.
SPYS and Spying how did the average citizen get caught up in it all?
Oh probably like me they bought a digital device in the early days and connect it to the web.
Now it’s snowballing as mankind advances in life with these devices and its technology. THAT we lose our borders now, THAT it opens up our lands and people to be victims of lawless enforceable actions. As it mostly stands WHERE device technologies RAPID deployment is faster than laws can be written to enforce.
– Oh then there’s this – the rules and laws within our own borders are for just about anybody on anything, but as the internet it’s happening to be border-less crime that hits a country.
Nice find : * )
Bernd,
I reached out to ProtonMail about this as it really bothered me as well. In fact, I was willing to purchase a Tutanota subscription and just pay full price (I am an NPO) just because of this.
However, I did receive a response that seems honest and fair in regards to what they are doing and why. That response is here: https://protonmail.com/blog/clarifying-protonmail-and-huawei/
As with anything, I will keep an eye on this to see what happens but in the meantime, Bloomberg is also not really well known for his honesty and uprightness either.
Another CON worth noting:
Protonmail stores names and email addresses unencrypted in the address book.
Hi Sven…
Thank you for your review of Protonmail. Could you share with us where you found they strip IP addresses from e-mails? Is this mentioned specifically on their website?
Thanks!
I don’t remember where I saw that, but they also confirmed on reddit.
Awesome, thank you! 🙂
Take care…
Considering tutanota privacy this is stated on their website: https://tutanota.com/blog/posts/data-protection-germany, I am doubtful that tutanota is much more secure than protonmail. For example:
1. …By default, we don’t record IP addresses of our users. Therefore, IP addresses can only be recorded for a single user account after we received a valid German court order for a real time monitoring (TKÜ), but not for the past. …
Traffic data consists of:
email addresses of sender and recipient
IP address of the Tutanota client
delivery time
2. …Just like traffic data, content data can only be requested by a German judge …In case of real time monitoring (TKÜ), we have to provide contents of emails. Emails that are sent end-to-end encrypted with Tutanota can only be delivered in encrypted form. Emails that are sent unencrypted are delivered in plain text if they arrive after we have received a valid German court order for a real time monitoring (TKÜ). Plain text emails that have arrived before that have already been encrypted on the server and cannot be decrypted by us….
So! They can monitor and read all your unencrypted emails from the time the real time monitoring of your email starts. Is this secure enough for you?
Hi noname, What’s your point ?
You are describing Tutanota’s policy for “unencrypted emails” after all. That’s plain text messages – either sent/received that way!
There’s a reason usually why emails go unencrypted, of lower importance, priority, etc.
Please don’t overlook the facts-
-That having a good simple form of encryption to ‘tick’ on or off for a message going to a recipient outside of Tutanota’s server eco-system.
Or
-That plain text emails received are being encrypted on their server and cannot be decrypted.
–
I see merit in your concerns but not your point of-
“Is this secure enough for you?”
for any unencrypted messages in the first place!
– Where this has hit me in concerns was if-
1. Tutanota gives the user (account holder) notice of receiving a valid German court order for a real time monitoring (TKÜ) – on said account.
– – This is Tutanota’s transparency report and warrant canary information. While in Germany a gag order is legally not possible, we want to give you peace of mind by publishing a warrant canary.
https://tutanota.com/blog/posts/transparency-report/
Finally, I encourage you and others to read-
Fighting for privacy: How encryption & data protection laws safeguard your emails.
https://tutanota.com/blog/posts/data-protection-germany/
I just started using their business version. I was looking at using Tutanota but as a NPO the discount was too expensive. The Protonmail fit into the budget.
I like tutanota but for some countries they offer free service. Best I could get was 50%. While that is good it is still almost double what I pay now.
Since my NPO has my name in the email, I am mainly going for custom domain.
So, while not a fanboy for my situation, they are a better fit. Just my .02.
I wanted to reply to my own post. After looking at Tutanota again, I realized I had read it wrong. The pricing between Protonmail and Tutanota, for my NPO, is a little over 36 Euros a month paying for a year in advance. Tutanota is about 6 Euros a year for an NPO.
I wanted to be fair in my initial assessment and am now in the process of trying to switch over. The cost savings helps our NPO.
Yes, Tutanota does provide discounts for non-profit organizations:
https://tutanota.com/blog/posts/secure-email-for-non-profit/
Well, trying to switch is not as easy as I had hoped.
Well, I am sticking with Protonmail.
My emails were ignored, and my paperwork, which I use to show my NPO and open bank accounts as well as establish services, was denied.
ProtonMail has been very fast at responding, they do have a new high level encryption and they also used my documents for their 50% discount.
While a little more expensive, I will pay for the better service.
Do I think Tutanota is a scam? Not at all. But I have to go with what is being shown on the receiving end.
ProtonMail seems really good and secure.
Stellar review! Thanks for reporting, Sven. I am (soon former) a Protonmail user, and I have been very happy with their mailing service for quite a while, and despite the facts being, while unsurprisingly, shocking, their service and activism left me very satisfied. But all that was ought to be expected, Protonmail (neither any other company in the world) can’t deny a request straight from the government and the court, so not much surprise here. I have committed now to switching to other secure mailing alternatives such as Tutanota, and so far, I am pretty happy with it. Shame Protonmail had to be this way, but it had to happen sooner or later.